[Snort-devel] snort distributed

Frank Knobbe frank at ...2134...
Mon Feb 7 09:47:44 EST 2005


On Mon, 2005-02-07 at 15:11 +0100, Martin Muench wrote:
> Also this will work if you are running the snort sensor
> as a normal IDS system, but you can't run it as an IPS in bridged mode
> (correct me if I am wrong).

To do that, to have two bridging Snort IDS/IPS sensors independently
passing or blocking traffic, would require synchronization of any type
of state information. Just combining the input streams (as in a
load-balancer, or even decoupling pcap and having it stream to one sensor)
is not sufficient.

Synchronizing all the information the preprocessors need (session
tables, flow information, etc.) would appear to be a very high-bandwidth
and probably highly CPU-intensive task. As such, you will be sacrificing
Snort performance to the point where the sensors can't keep up with
capturing and analyzing traffic when they also have to synchronize state
tables with each other on every packet received.

It's not a problem with firewalls since they don't work as hard, but
IDSes are usually quite busy analyzing traffic, so this additional
burden will probably choke them.



The Distributed-Snort I had planned (and will still tackle eventually)
was a decoupling of input/preproc processes and the output plugins.
Since the bandwidth to alert outputs should be low, this I think is
doable.

Regards,
Frank
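As an added illustration (not code from the thread or from the Snort project), here is a toy model of the point Frank makes: two sensors each keep their own stream-reassembly table, so a packet-level balancer that splits one flow across them misses a content match spanning two segments, a flow-hashed balancer keeps the flow on one sensor and catches it, and sharing the table instead costs one synchronization message per packet. The sensor class, the sample segments and the content rule are all constructed for the example.

```python
from collections import defaultdict
import hashlib

# Constructed segments of one TCP flow (src, dst, seq, payload), in order.
SEGMENTS = [
    ("10.0.0.1:40000", "10.0.0.2:80", 0,  b"GET /cgi-bin/"),
    ("10.0.0.1:40000", "10.0.0.2:80", 13, b"forbidden.cgi HTTP/1.0\r\n"),
]
# Constructed content rule that only matches across the segment boundary.
PATTERN = b"/cgi-bin/forbidden.cgi"


class Sensor:
    """Toy stream reassembly: a per-flow byte buffer plus a content match.
    If `shared` is given, the session table lives outside the sensor and every
    packet costs one synchronization message to the peers."""

    def __init__(self, shared=None):
        self.streams = shared if shared is not None else defaultdict(bytes)
        self.sync_msgs = 0 if shared is not None else None

    def inspect(self, seg):
        src, dst, seq, payload = seg
        self.streams[(src, dst)] += payload   # toy: assumes in-order segments
        if self.sync_msgs is not None:
            self.sync_msgs += 1               # state change pushed on every packet
        return PATTERN in self.streams[(src, dst)]


def round_robin(segments, n):
    """Packet-level balancing: a flow's segments are spread across sensors."""
    for i, seg in enumerate(segments):
        yield i % n, seg


def flow_pinned(segments, n):
    """Flow-hash balancing: every segment of a flow lands on the same sensor."""
    for seg in segments:
        h = hashlib.sha256((seg[0] + seg[1]).encode()).digest()
        yield int.from_bytes(h[:4], "big") % n, seg


def run(distributor, n=2, sync_state=False):
    """Returns (detected, sync_messages) for n independent sensors."""
    table = defaultdict(bytes) if sync_state else None
    sensors = [Sensor(table) for _ in range(n)]
    hits = [sensors[i].inspect(seg) for i, seg in distributor(SEGMENTS, n)]
    msgs = sum(s.sync_msgs or 0 for s in sensors)
    return any(hits), msgs
```

Run `run(round_robin)`, `run(flow_pinned)` and `run(round_robin, sync_state=True)` to compare the three setups; only the last two detect the pattern, and the synchronized one pays one message per segment.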
